Mississippi Business Journal, April 14, 2017, TECHNOLOGY
Don't let cybersecurity Wag the Dog

When "the tail is wagging the dog", you know that something has gone wrong. Priorities are not straight, and a part of the system does not understand its role. Providers of offense-oriented security services, such as penetration testing and red team engagements (which I've described in previous articles), often make draconian recommendations that, in pursuit of least effort, wind up impacting your ability to do business. When you get these recommendations, you should ask yourself: Is this vendor acting like a partner in my business, or are they content with it being inhibited as a result of their recommendations?

We often review clients' previous penetration testing reports, to give them advice on moving forward with better testing and security practices. These reports, provided by security vendors of all sizes, often include completely unrealistic advice. On more than one occasion, we have seen reports that recommended that organizations disable a protocol that is critical to many organizations' ability to connect computers to the network (DHCP) in a misguided attempt to prevent "rogue" devices from connecting. In most organizations, including these specific clients, removing that protocol would have incurred a significant amount of effort, with little gain in security. If the recommendation were blindly followed without planning, it would have caused the network to fail.

As a fun exercise, go ask your IT staff right now what the impact of disabling DHCP, for "security purposes", would be. You'll likely detect some amount of terror in their faces. If they have a sense of humor, they may respond with something like: "You'll be perfectly secure, because within a day, nothing will be able to connect to the network".

Unrealistic recommendations extend past the technical realm. Many security testing vendors make recommendations that put too much responsibility in the hands of individual users. While users need to be aware of security policies and their importance, most do not have the technical background needed to confidently evaluate the safety of every single email they read, or website they visit. While techniques for identifying phishing attempts and other attacks are covered in user training, not all hackers and scammers use poor grammar and obvious attempts to convince people to download malicious software. An end-user cannot be expected to be both the first and last line of defense for an organization. Realistic and useful security practices and monitoring must acknowledge and account for the eventual compromise of individuals' workstations.

Recommendations that are not actionable are essentially useless. After all, extreme recommendations like "turn it off!" will make most things secure, but not functional. Realistically, good cybersecurity measures will likely inconvenience you, but should not be to the detriment of your ability to operate. You may add steps to the process of logging in. You may have to task IT staff with finding alternatives to practices and software that are found not to be secure. You should never, however, get a recommendation from your security testing provider that prevents you from doing business. Availability is as important as the other basic tenets of security (Confidentiality and Integrity). If it sounds like it's not actionable, it may be time to get a second opinion from another vendor that has a more realistic approach.
Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber.